Full Transcript

Using Contacts and Distribution Groups

A contact is an Active Directory object that usually represents a person for informational purposes only.
The most common use of a contact is for integration into Microsoft Exchange’s address book.
A distribution group is used with Microsoft Exchange to send e-mail to several people at once.

Public 1 © Cengage Learning 2015

Managing Group Accounts

Active Directory group objects are the main security principal administrators use to grant rights and permissions to users.
Groups are easier to manage
– Users with similar access requirements to resources can be made members of a group
When a group is created in ADUC, aside from assigning a name, there are two other settings:
– Group type
– Group scope

Group Types

There are two group types: security and distribution.
A distribution group is used to group users together
– Mainly for sending e-mails to several people at once with an AD-integrated e-mail application, such as Microsoft Exchange
Can have the following objects as members:
– User accounts
– Contacts
– Other distribution groups
– Security groups
– Computers

Group Types

Security groups are the main AD object administrators use to manage network resource access and grant rights to users.
Can contain the same types of objects as distribution groups.

Group Scope

Group scope determines the reach of a group’s application in a domain or a forest.
Three group scope options are possible in a Windows Server 2012 forest:
– Domain local
– Global
– Universal
A fourth scope called “local” applies only to groups created in the Security Account Manager (SAM) database of a member computer or stand-alone computer.

Domain Local Groups

A domain local group is the main security principal recommended for assigning rights and permissions to domain resources.
In a single-domain environment, or when users from only one domain are assigned access to a resource, use the AGDLP role-based strategy:
– Accounts are made members of
– Global groups, which are made members of
– Domain Local groups, which are assigned
– Permissions to resources

Global Groups

A global group is used mainly to group users from the same domain with similar access or rights requirements
– Considered global because it can be made a member of a domain local group in any domain in the forest or trusted domains in other forests
A common use is creating a global group for each department, location, or both.

Universal Groups

A universal group can contain users from any domain in the forest and be assigned permission to resources in any domain in the forest.
Universal groups can be a member of other universal groups or domain local groups from any domain in the forest.
Universal groups’ membership information is stored only on global catalog servers.

Local Groups

A local group is created in the local SAM database on a member server or workstation or a stand-alone computer.
When a computer joins a domain, Windows changes the membership of two local groups automatically:
– Administrators: the Domain Admins global group is made a member
– Users: the Domain Users global group is made a member
Local groups can have the following account types as members:
– Local user accounts
– Domain user accounts and computer accounts from any domain in the forest
– Domain local groups from the same domain
– Global or universal groups from any domain in the forest

Nesting Groups

Nesting groups means making a group a member of another group.
Usually used to group users who have similar roles but work in different departments.
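
The AGDLP chain and group nesting described above, as an added PowerShell example that is not part of the original slides. It builds the chain with the ActiveDirectory module and then audits it for access that bypasses the group layers. The OU path, group names, user names and folder path are all hypothetical placeholders.

```powershell
# Added example: every name below (OU, groups, users, folder) is hypothetical.
Import-Module ActiveDirectory

$ou      = 'OU=Groups,DC=corp,DC=example'   # assumed OU that holds group objects
$global  = 'G-Accounting'                   # global group: who the users are
$local   = 'DL-AcctShare-Modify'            # domain local group: what access is granted
$folder  = 'D:\Shares\Accounting'           # assumed folder on a member server
$members = 'asmith', 'bjones'               # assumed existing user accounts

# A -> G: accounts are made members of a global security group.
New-ADGroup -Name $global -SamAccountName $global -GroupScope Global `
    -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity $global -Members $members

# G -> DL: the global group is nested in a domain local security group.
New-ADGroup -Name $local -SamAccountName $local -GroupScope DomainLocal `
    -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity $local -Members $global

# DL -> P: only the domain local group is placed on the resource ACL.
$domain = (Get-ADDomain).NetBIOSName
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
    "$domain\$local", 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
$acl = Get-Acl -Path $folder
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Audit 1: non-group objects placed directly in the DL group skip the global-group layer.
Get-ADGroupMember -Identity $local |
    Where-Object { $_.objectClass -ne 'group' } |
    Select-Object Name, objectClass

# Audit 2: effective access, i.e. every account reached through nesting.
Get-ADGroupMember -Identity $local -Recursive |
    Select-Object Name, SamAccountName

# Audit 3: explicit ACL entries that were granted to something other than the DL group.
(Get-Acl -Path $folder).Access |
    Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -ne "$domain\$local" } |
    Select-Object IdentityReference, FileSystemRights
```

Audit 1 and Audit 3 should return nothing when the strategy is followed; any row is a direct grant that will not be removed when the user leaves the role group.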

Creating Computer Accounts

Computer accounts are created in Active Directory when a client computer becomes a member of a domain.
A computer account is a security principal with an SID and a password and must authenticate to the domain.
Computer accounts are created in AD in two ways:
– A user changes the computer membership from Workgroup to Domain in the System Properties dialog box; the computer joins the domain and the account is created automatically
– An administrator creates the account manually in Active Directory

Figure 7-23 Creating a computer account

Managing Computer Accounts

It may be necessary to reset a computer account
– If the computer account has become unsynchronized with the domain controller

Disabling Computer Accounts

When a computer leaves the domain, its computer account is disabled automatically.
You might need to disable a computer account manually if the computer won’t be in contact with the domain controller for an extended period.

Summary

OUs can be designed to mirror a company’s organizational chart.
OU permissions and permission inheritance work much the same way as they do in the file system.
User accounts provide a way for users to authenticate to the network and contain user information that can be used in a company directory.
ADUC and ADAC are GUI tools for creating and maintaining user accounts.
User templates facilitate creating users who have some attributes in common, such as group memberships.

Summary

This chapter covers the user account properties in the General, Account, Profile, and Member Of tabs.
Groups are the main security principal used to grant rights and permissions.
There are three group scopes in AD: domain local, global, and universal.
Computers that are domain members have computer accounts in AD.
Computer accounts are created automatically when a computer joins a domain or manually by an administrator.
